  1. #1 ulthane (SitePoint Evangelist, Israel, joined Jun 2010)

    magic_quotes_gpc confusion

    Hello all,
    I need some help getting this understood.
    I have magic_quotes_gpc on by default on my host, and I cannot change it from anywhere; the only way I can change it is adding the stripslashes function, but at the same time I also must use mysql_real_escape.
    So I came across a problem: I have a form where people can upload comments, each newline gets transferred to <br>, however the function nl2br fails to transfer anything after I use both functions above.

    So I tried a few ways (all fail, need explanation on why and how to solve)
    1) adding stripslashes and right after that mysql_real_escape
    result: backslashes vanish but the nl2br function fails to add newlines.
    2) using only mysql_real_escape
    result: nl2br fails and backslashes are there.
    3) using only stripslashes
    result: nl2br succeeds but regular backslashes added by the user have vanished; also as I read guides I see that it's not safe not using mysql_real_escape, although I don't know about the particular case where magic_quotes are on
    4) using neither function.
    result: everything gets uploaded as expected, but same as 3, not sure about the security when mysql_escape is not used.

    Any ideas?
    Thanks.

  2. #2 guido2004 (joined Sep 2004)
    At the top of the script, use stripslashes.

    Only on the values you will use for database stuff, use mysql_real_escape_string.
    PHP Code:
    $sql = "
      SELECT
          ...
      FROM tablename
      WHERE name = '" . mysql_real_escape_string($_POST['name']) . "'
    ";

    Use nl2br only when you want to display the value to the user (and not in a textarea):
    PHP Code:
    echo nl2br($_POST['name']); 
    If you want to sanitize the user input before outputting it to the screen, take a look at PHP functions like strip_tags

  3. #3 ulthane (SitePoint Evangelist)
    I was actually planning on inserting the input into the database with brs, so when displaying I won't have to call the <br /> function on every comment box; then when someone wants to edit their post (via textarea) I'll use a reverse function such as:
    str_replace('<br />','',$post)
    and the newlines will be there since the \r\n are not removed.
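    As an added example (not code from the thread), here is the order of operations guido2004 describes in #2, applied to the comment form from #1 and to the edit-in-a-textarea case from #3. The table and column names, the form field name and the connection details are placeholders. The most likely reason nl2br() found nothing in cases 1 and 2 is that it ran after mysql_real_escape_string(), which turns each newline into the two characters backslash and n, so storing the raw text and converting newlines only at display time avoids the problem entirely.

```php
<?php
// Added example, not code from the thread. Table `comments`, column `body`,
// form field `comment` and the connection details are placeholders.
//
// Principle: store the comment exactly as the user typed it (newlines and all)
// and escape it for ONE context at a time: SQL when building the query, HTML
// when displaying. nl2br() belongs to the display step only. If it is run after
// mysql_real_escape_string(), it finds nothing to convert, because that
// function has already replaced every "\n" with the two characters '\' and 'n'.

// Step 1 (top of the script): undo magic_quotes_gpc once, for every input array.
// The backslashes it adds are not escaping for MySQL; mysql_real_escape_string()
// would escape them a second time, which is why case 2 in #1 ends up with
// backslashes stored in the database. get_magic_quotes_gpc() exists on PHP < 8.
function strip_magic_quotes(array $data)
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? strip_magic_quotes($value) : stripslashes($value);
    }
    return $data;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Step 2: save the comment. Escape only inside the query string; $comment stays raw.
// (The mysql_* extension was removed in PHP 7; on current PHP use a prepared
// statement via mysqli or PDO instead of manual escaping.)
function save_comment($link, $comment)
{
    $sql = "INSERT INTO comments (body) VALUES ('"
         . mysql_real_escape_string($comment, $link) . "')";
    return mysql_query($sql, $link);
}

// Step 3: display. htmlspecialchars() first, so that '<', '>' and quotes typed
// by the user cannot become markup (stored XSS); nl2br() last, so that the
// <br /> tags it inserts are the only tags in the output.
function render_comment($body)
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

// Step 4: edit form. The stored text still contains its "\r\n" sequences, so a
// textarea shows the line breaks by itself; no <br /> tags were stored, so the
// reverse str_replace() from #3 is not needed.
function render_edit_form($body)
{
    return '<textarea name="comment">'
         . htmlspecialchars($body, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

// Typical flow on a POST request:
if (isset($_POST['comment'])) {
    $link = mysql_connect('localhost', 'dbuser', 'dbpass'); // placeholder credentials
    mysql_select_db('forum', $link);                        // placeholder database
    save_comment($link, $_POST['comment']);
}
```

    Each escaping function matches one output context: stripslashes() removes what magic_quotes_gpc added, mysql_real_escape_string() is applied once and only in the SQL string, and htmlspecialchars() plus nl2br() are applied once and only when rendering HTML. Storing pre-rendered <br /> tags, as planned in #3, mixes the HTML context into the stored data and then needs an unreliable reverse step for editing.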

  4. #4 SitePoint Wizard (joined Oct 2005)
    Quote (originally posted by ulthane):
    "I got magic_quotes_gpc on by default on my host, and i cannot change it from anywhere,"
    Most web hosts allow customers to change PHP configuration settings using a php.ini file. You would create a php.ini file and stick this line in it:

    Code:
    magic_quotes_gpc = Off
    If your web host does not allow you to make simple configuration changes to shut off that annoying and stupid magic quotes, you need to find a better web hosting company.